Hi ~ Thanks for your reply
The table is like this....
index=nessus severity!=informational severity!=low host-ip=10.1.1.249
| fields host_start plugin_name host-ip severity
| bin _time span=1d
| eval n=relative_time(now(), "+26d@d")
| eval lastseen=strftime(_time, "%b %d %Y")
| streamstats current=f window=1 global=f last(plugin_name) as plugin_name_count by host-ip,lastseen
| where plugin_name!=plugin_name_count
| chart useother=true values(host-ip) by plugin_name_count,lastseen
| sort -"_time"
... View more